Last updated: July 5, 2026 at 9:01 AM UTC

New Russian CTRL toolkit spreads via fake private key folders - hijacks RDP and steals credentials

Researchers at Censys discovered a previously undocumented Russian-origin toolkit called CTRL, distributed through Windows shortcut files disguised as private key folders. Once a victim double-clicks the LNK file, a multi-stage chain deploys credential harvesting through a fake Windows Hello PIN prompt, a keylogger, RDP session hijacking, and reverse proxy tunneling. All stolen data exits through the RDP tunnel, leaving minimal forensic traces compared to traditional command-and-control patterns.

Check
Warn staff about Windows shortcut files received via email or messaging, especially any labeled as private keys or credentials.
Affected
Any Windows system where a user opens the malicious LNK file. The toolkit targets .NET Framework 4.7.2 environments.
Fix
Block the domains hui228[.]ru and IPs 146.19.213.155, 194.33.61.36, 109.107.168.18. Train staff to never open shortcut files from untrusted sources. Monitor for unusual FRP tunnel traffic on port 7000.

Russian APT TA446 weaponizes leaked DarkSword exploit kit to target iPhones via spear-phishing

The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.

Check
Ensure all company iPhones and iPads are updated, and alert staff about spoofed discussion invitation emails.
Affected
iPhones running iOS 18.4 through 18.7.1. TA446 targets government, think tank, higher education, financial, and legal organizations.
Fix
Update to iOS 18.7.2 or later. Block the domains escofiringbijou[.]com, motorbeylimited[.]com, and bridetvstreaming[.]org. Enable Lockdown Mode on high-risk devices.